Re: UsrMove feature (was Re: FESCo meeting minutes for 2011-10-24)

On Tue, Oct 25, 2011 at 06:41:21PM +0200, Christoph Trassl wrote:
> On 10/25/2011 05:30 PM, Till Maas wrote:
> > On Tue, Oct 25, 2011 at 01:45:45PM +0200, Christoph Trassl wrote:
> >> On 10/25/2011 09:33 AM, Michal Hlavinka wrote:
> >>> On 10/25/2011 09:30 AM, Harald Hoyer wrote:
> >>>> On 10/25/2011 09:15 AM, Harald Hoyer wrote:
> >>>>> It's not only an aesthetic issue. This enables
> >>>>> possibilities, which were not doable before.
> >>> ...
> >>>> - mount rootfs encrypted - mount /usr not encrypted (no secrets
> >>>> here)
> >>>
> >>> this is already possible, I have used this setup for a long time.
> >>
> >> Does not seem to make any sense to me, unless you verify that no
> >> one has messed with your binaries/libraries in /usr.
> >
> > Does not seem to make any sense to me, unless you verify that no one
> > has messed with your kernel/bootloader in /boot or /dev/sda.
> 
> Correct.
> 
> Verifying the kernel/bootloader could easily be done within seconds -
> at every boot.

Yet as long as it is not done, encrypting /usr is no improvement. And
even if it is done, you would also need to verify that nobody installed
a keyboard logger on your device if you fear attackers that have easy
physical access to the device in question.

Regards
Till
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
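
The check debated in this thread, as an added example that is not part of any poster's message: a baseline of file hashes for an unencrypted tree such as /usr or /boot, compared against the tree's current state. It assumes the baseline is stored on the encrypted rootfs; the function names and the sample tree are constructed for illustration, and the result is only as trustworthy as the kernel and interpreter that run the check.

```python
import hashlib
import os
import tempfile

def _fingerprint(path):
    """SHA-256 of content; symlinks by target. Modes and owners are not covered."""
    if os.path.islink(path):
        return "link:" + os.readlink(path)
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_manifest(root):
    """Map every regular file and symlink under root to its fingerprint."""
    manifest = {}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or os.path.isfile(full):
                manifest[os.path.relpath(full, root)] = _fingerprint(full)
    return manifest

def verify(root, baseline):
    """Diff the tree at root against a baseline kept on trusted storage."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed sample: a temporary tree stands in for an unencrypted /usr."""
    with tempfile.TemporaryDirectory() as usr:
        for rel, data in (("bin/ls", b"ls v1"), ("lib/libfoo.so", b"foo v1")):
            os.makedirs(os.path.dirname(os.path.join(usr, rel)), exist_ok=True)
            with open(os.path.join(usr, rel), "wb") as fh:
                fh.write(data)
        baseline = build_manifest(usr)  # assumption: saved on the encrypted rootfs
        with open(os.path.join(usr, "bin/ls"), "wb") as fh:
            fh.write(b"ls v1, altered")  # content change
        os.remove(os.path.join(usr, "lib/libfoo.so"))  # deletion
        with open(os.path.join(usr, "bin/extra"), "wb") as fh:
            fh.write(b"new file")  # file absent from the baseline
        return verify(usr, baseline)

if __name__ == "__main__":
    print(demo())
```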